Security of quantum bit string commitment depends on the information measure 
Unconditionally secure non-relativistic bit commitment is known to be impossible in both the classical and the quantum world. However, when committing to a string of n bits at once, how far can we stretch the quantum limits? In this letter, we introduce a framework of quantum schemes where Alice commits a string of n bits to Bob, in such a way that she can only cheat on a bits and Bob can learn at most b bits of information before the reveal phase. Our results are two-fold: we show by an explicit construction that in the traditional approach, where the reveal and guess probabilities form the security criteria, no good schemes can exist: a + b is at least n. If, however, we use a more liberal criterion of security, the accessible information, we construct schemes where $a = 4\log_2 n + O(1)$ and $b = 4$, which is impossible classically. Our findings significantly extend known no-go results for quantum bit commitment.




Imagine two mutually distrustful parties Alice and Bob at distant locations. They can only communicate over a channel, but want to play the following game: Alice secretly chooses a bit x. Bob wants to be sure that Alice indeed has made her choice. Yet, Alice wants to keep x hidden from Bob until she decides to reveal x. To convince Bob that she made up her mind, Alice sends Bob a commitment. From the commitment alone, Bob cannot deduce x. At a later time, Alice reveals x and enables Bob to open the commitment. Bob can now check if Alice is telling the truth. This scenario is known as bit commitment. Commitments play a central role in modern day cryptography. They form an important building block in the construction of larger protocols in, for example, gambling and electronic voting, and other instances of secure two-party computation. In the realm of quantum mechanics, it has been shown that oblivious transfer [1] can be achieved provided there exists a secure bit commitment scheme [2, 3]. In turn, classical oblivious transfer can be used to perform any secure two-party computation. Commitments are also useful for constructing zero-knowledge proofs [5] and lead to coin tossing [6].

Classically, unconditionally secure non-relativistic bit commitment is known to be impossible. Unfortunately, after several quantum schemes were suggested [7], non-relativistic quantum bit commitment was shown to be impossible, too [8, 9], even in the presence of superselection rules [10]. In fact, only very limited degrees of concealment and bindingness can be obtained [11]. It has been shown that the quantum no-go theorems do not apply to protocols which use two or more sites and take account of relativistic signaling constraints. We work in the non-relativistic quantum mechanical setting, hence all presented results refer to this setting only. In the face of the negative results regarding this setting, what can we still hope to achieve?

In this letter, we consider the task of committing to a string of n bits at once when both the honest player and the adversary have unbounded resources. Since perfect bit commitment is impossible, perfect bit string commitment is impossible, too. We thus give both Alice and Bob a limited ability to cheat. First, we introduce a framework for the classification of bit string commitments in terms of the length n of the string, Alice's ability to cheat on at most a bits and Bob's ability to acquire at most b bits of information before the reveal phase. We say that Alice can cheat on a bits if she can reveal up to $2^a$ strings successfully. Bob's security definition is crucial to our investigation: if b determines a bound on his probability to guess Alice's string, then we prove that a + b is at least n. This implies that the trivial protocol, where Alice's commitment consists of sending b bits of her string to Bob, is optimal. If, however, b is a bound on the accessible information that the quantum states contain about Alice's string, then we show that non-trivial schemes exist. More precisely, we construct schemes with $a = 4\log_2 n + O(1)$ and $b = 4$. This is impossible classically.

Quantum commitments of strings have previously been considered by Kent [12], who pointed out that in the quantum world useful bit string commitments could be possible despite the no-go theorem for bit commitment. His scenario differs significantly from ours and imposes an additional constraint, which is not present in our work: Alice does not commit to a superposition of strings.

Framework. 

Definition 1 An (n, a, b)-Quantum Bit String Commitment (QBSC) is a quantum communication protocol between two parties, Alice (the committer) and Bob (the receiver), which consists of two phases and two security requirements.

• (Commit Phase) Assume that both parties are honest. Alice chooses a string $x \in \{0,1\}^n$ with probability $p_x$. Alice and Bob communicate and at the end Bob holds state $\rho_x$.

• (Reveal Phase) If both parties are honest, Alice and Bob communicate and at the end Bob learns x. Bob accepts.

• (Concealing) If Alice is honest, $\sum_{x \in \{0,1\}^n} p^B_{x|x} \le 2^b$, where $p^B_{x|x}$ is the probability that Bob correctly guesses x before the reveal phase given $\rho_x$.

• (Binding) If Bob is honest, then for all commitments of Alice: $\sum_{x \in \{0,1\}^n} p^A_x \le 2^a$, where $p^A_x$ is the probability that Alice successfully reveals x.

We say that Alice successfully reveals a string x if Bob accepts the opening of x, i.e. he performs a test depending on the individual protocol to check Alice's honesty and concludes that she was indeed honest. Note that quantumly, Alice can always commit to a superposition of different strings without being detected. Thus even for a perfectly binding bit string commitment (i.e. a = 0) we only demand that $\sum_{x \in \{0,1\}^n} p^A_x \le 1$, whereas classically one wants that $p^A_{x'} = \delta_{x,x'}$. Note that our concealing definition reflects Bob's a priori knowledge about x. We choose an a priori uniform distribution (i.e. $p_x = 2^{-n}$) for (n, a, b)-QBSCs, which naturally comes from the fact that we consider n-bit strings. A generalization to any $(P_X, a, b)$-QBSC where $P_X$ is an arbitrary distribution is possible but omitted in order not to obscure our main line of argument. Instead of Bob's guessing probability, one can take any information measure B to express the security against Bob. In general, we consider an $(n, a, b)$-QBSC$_B$ where the new Concealing-condition reads $B(\mathcal{E}) \le b$ with ensemble $\mathcal{E} = \{p_x, \rho_x\}$. In the latter part of this letter we show that for B being the accessible information non-trivial protocols, i.e. protocols with $a + b \ll n$, exist. The accessible information is defined as $I_{acc}(\mathcal{E}) = \max_M I(X;Y)$, where $P_X$ is the prior distribution of the random variable X, Y is the random variable of the outcome of Bob's measurement on $\mathcal{E}$, and the maximization is taken over all measurements M.

Impossibility. Our impossibility result will be proven in three steps: we first show that any (n, a, b)-QBSC is also an $(n, a, b)$-QBSC$_\xi$ with the security measure $\xi(\mathcal{E})$ defined below in eq. (1). Secondly, we prove that an $(n, a, b)$-QBSC$_\xi$ can only exist for values a, b and n obeying $a + b + c \ge n$, where c is a small constant independent of a, b and n. This in turn implies the impossibility of an (n, a, b)-QBSC for such parameters. Finally, we show that many executions of the protocol can only be secure if $a + b \ge n$. Before we proceed to the proof, we introduce a few tools from quantum information theory.

We work in the model of two-party non-relativistic quantum protocols of Yao [3], simplified by Lo and Chau, which is usually adopted in this context. Here, any two-party quantum protocol can be regarded as a pair of quantum machines (Alice and Bob), interacting through a quantum channel. Consider the product of three Hilbert spaces $\mathcal{H}_A$, $\mathcal{H}_B$ and $\mathcal{H}_C$ of bounded dimensions representing the Hilbert spaces of Alice's and Bob's machines and the channel, respectively. Without loss of generality, we assume that each machine is initially in a specified pure state. Alice and Bob perform a number of rounds of communication over the channel. Each such round can be modeled as a unitary transformation on $\mathcal{H}_A \otimes \mathcal{H}_C$ and $\mathcal{H}_B \otimes \mathcal{H}_C$ respectively. Since the protocol is known to both Alice and Bob, they know the set of possible unitary transformations used in the protocol. We assume that Alice and Bob are in possession of both a quantum computer and a quantum storage device. This enables them to add ancillae to the quantum machine and use reversible unitary operations to replace measurements. By doing so, Alice and Bob can delay measurements and thus we can limit ourselves to protocols where both parties only measure at the very end. Moreover, any classical computation or communication that may occur can be simulated by a quantum computer.

We now show that every (n, a, b)-QBSC is an $(n, a, b)$-QBSC$_\xi$. The security measure $\xi(\mathcal{E})$ is defined by

$$\xi(\mathcal{E}) = n - H_2(\rho_{AB}|\rho), \quad (1)$$

where $\rho_{AB} = \sum_x p_x |x\rangle\langle x| \otimes \rho_x$ and $\rho = \sum_x p_x \rho_x$ are only dependent on the ensemble $\mathcal{E} = \{p_x, \rho_x\}$. $H_2(\cdot|\cdot)$ is an entropic quantity defined in [13]: $H_2(\rho_{AB}|\rho) = -\log \mathrm{Tr}\big((I \otimes \rho^{-\frac12})\rho_{AB}\big)^2$. This quantity is directly connected to Bob's maximal average probability of successfully guessing the string:

Lemma 1 Bob's maximal average probability of successfully guessing the committed string, i.e. $\max_M \sum_x p_x p^M_{x|x}$ where M ranges over all measurements and $p^M_{y|x}$ is the conditional probability of guessing y given $\rho_x$, is larger than or equal to $2^{-H_2(\rho_{AB}|\rho)}$.

Proof: By definition the maximum average guessing probability is lower bounded by the average guessing probability for a particular measurement strategy. We choose the square-root measurement which has operators $M_x = p_x \rho^{-\frac12} \rho_x \rho^{-\frac12}$. $p^{sq}_{x|x} = \mathrm{Tr}(M_x \rho_x)$ is the probability that Bob guesses x given $\rho_x$, hence

$$\log_2 \sum_x p_x\, p^{sq}_{x|x} = \log_2 \sum_x p_x^2\, \mathrm{Tr}\big(\rho^{-\frac12}\rho_x\rho^{-\frac12}\rho_x\big) = \log_2 \mathrm{Tr}\Big[\big((I \otimes \rho^{-\frac12})\rho_{AB}\big)^2\Big] = -H_2(\rho_{AB}|\rho).$$

Related estimates were derived in [lij]. For the uniform distribution $p_x = 2^{-n}$ we have from the concealing condition that $\sum_x p^B_{x|x} \le 2^b$, which by Lemma 1 implies $\xi(\mathcal{E}) \le b$. Thus, every (n, a, b)-QBSC is an $(n, a, b)$-QBSC$_\xi$. □

We make use of the following theorem, known as privacy amplification against a quantum adversary. In our case, Bob holds the quantum memory and privacy amplification is used to find Alice's attack.

Theorem 1 (Th. 5.5.1 in [13] (see also [lij])) Let $\mathcal{G}$ be a class of two-universal hash functions [25] from $\{0,1\}^n$ to $\{0,1\}^s$. Application of $g \in \mathcal{G}$ to the random variable X maps the ensemble $\mathcal{E} = \{p_x, \rho_x\}$ to $\mathcal{E}^g = \{q^g_y, \sigma^g_y\}$ with probabilities $q^g_y = \sum_{x \in g^{-1}(y)} p_x$ and quantum states $\sigma^g_y = \frac{1}{q^g_y}\sum_{x \in g^{-1}(y)} p_x \rho_x$. Then

$$\frac{1}{|\mathcal{G}|}\sum_{g \in \mathcal{G}} d(\mathcal{E}^g) \le \frac12\, 2^{-\frac12\left(H_2(\rho_{AB}|\rho) - s\right)}, \quad (2)$$

where $d(\mathcal{E}) = \delta\big(\sum_x p_x |x\rangle\langle x| \otimes \rho_x,\; I/2^n \otimes \rho\big)$ (and similarly for $d(\mathcal{E}^g)$) and $\delta(\alpha, \beta) = \frac12 \mathrm{Tr}|\alpha - \beta|$.

The following reasoning is used to prove the impossibility of quantum bit commitment [8, 9]: Suppose $\rho_0$ and $\rho_1$ are density operators that correspond to a commitment of a "0" or a "1" respectively. Let $|\phi_0\rangle$ and $|\phi_1\rangle$ be the corresponding purifications on the joint system of Alice and Bob. If $\rho_0$ equals $\rho_1$ then Alice can find a local unitary transformation U that Alice can apply to her part of the system such that $|\phi_1\rangle = U \otimes I\,|\phi_0\rangle$. This enables Alice to change the total state from $|\phi_0\rangle$ to $|\phi_1\rangle$ and thus cheat. This reasoning also holds in an approximate sense, here used in the following form [26]:

Lemma 2 Let $\delta(\rho_0, \rho_1) \le \varepsilon$ and assume that the bit-commitment protocol is error-free if both parties are honest. Then there is a method for Alice to cheat such that the probability of successfully revealing a 0 given that she committed to a 1 is greater than or equal to $1 - \sqrt{2\varepsilon}$.

Now, we can prove our impossibility result.

Theorem 2 $(n, a, b)$-QBSC$_\xi$ schemes, and thus also (n, a, b)-QBSC schemes, with $a + b + c < n$ do not exist, where c is a constant equal to $5\log_2 5 - 4 \approx 7.61$.

Proof: Consider an $(n, a, b)$-QBSC$_\xi$ and the case where both Alice and Bob are honest. Alice committed to x. We denote the joint state of the system Alice-Bob-Channel $\mathcal{H}_A \otimes \mathcal{H}_B \otimes \mathcal{H}_C$ after the commit phase by $|\phi_x\rangle$ for input state $|x\rangle$. Let $\rho_x$ be Bob's reduced density matrix, and let $\mathcal{E} = \{p_x, \rho_x\}$ where $p_x = 2^{-n}$.

Assuming that Bob is honest, we will give a cheating strategy for Alice in the case where $a + b + 5\log_2 5 - 4 < n$. The strategy will depend on the two-universal hash function $g: \mathcal{X} = \{0,1\}^n \to \mathcal{Y} = \{0,1\}^{n-m}$, for appropriately chosen m. Alice picks a $y \in \mathcal{Y}$ and constructs the state $\big(\sum_{x \in g^{-1}(y)} |x\rangle|x\rangle\big)/\sqrt{|g^{-1}(y)|}$. She then gives the second half of this state as input to the protocol and stays honest for the rest of the commit phase. The joint state of Alice and Bob at the end of the commit phase is thus $|\psi^g_y\rangle = \big(\sum_{x \in g^{-1}(y)} |x\rangle|\phi_x\rangle\big)/\sqrt{|g^{-1}(y)|}$. The reduced states on Bob's side are $\sigma^g_y = \frac{1}{q^g_y}\sum_{x \in g^{-1}(y)} p_x \rho_x$ with probability $q^g_y = \sum_{x \in g^{-1}(y)} p_x$. We denote this ensemble by $\mathcal{E}^g$. Let $\sigma = \sigma^g = \sum_y q^g_y \sigma^g_y$ for all g.

We now apply Theorem 1 with $s = n - m$ and $\xi(\mathcal{E}) \le b$ and obtain $\frac{1}{|\mathcal{G}|}\sum_{g \in \mathcal{G}} d(\mathcal{E}^g) \le \varepsilon$ where $\varepsilon = \frac12\, 2^{-\frac12(m-b)}$. Hence, there is at least one g such that $d(\mathcal{E}^g) \le \varepsilon$; intuitively, this means that Bob knows only very little about the value of g(x). This g defines Alice's cheating strategy. It is straightforward to verify that $d(\mathcal{E}^g) \le \varepsilon$ implies

$$2^{-(n-m)} \sum_y \delta(\sigma, \sigma^g_y) \le 2\varepsilon. \quad (3)$$

Let us therefore assume without loss of generality that Alice chooses $y_0 \in \mathcal{Y}$ with $\delta(\sigma^g_{y_0}, \sigma) \le 2\varepsilon$.

Clearly, the probability to successfully reveal some x in $g^{-1}(y)$ given $|\psi^g_y\rangle$ is one [27]. Thus the probability to successfully reveal y (i.e. to reveal an x such that y = g(x)) given $|\psi^g_y\rangle$ is one. Let $p^A_x$ and $q^A_y$ denote the probabilities to successfully reveal x and y respectively and $p^g_{x|y}$ be the conditional probability to successfully reveal x, given y. We have $\sum_x p^A_x = \sum_y q^A_y \sum_{x \in g^{-1}(y)} p^g_{x|y} \ge \sum_y q^A_y$.

Recall that Alice can transform $|\psi^g_{y_0}\rangle$ approximately into $|\psi^g_y\rangle$ if $\sigma^g_{y_0}$ is sufficiently close to $\sigma^g_y$ by using only local transformations on her part. It follows from Lemma 2 that we can estimate the probability of revealing y, given that the state was really $|\psi^g_{y_0}\rangle$. Since this reasoning applies to all y, on average, we have

$$\begin{aligned}
\sum_y q^A_y &\ge \sum_y \Big(1 - 2^{\frac12}\,\delta(\sigma^g_{y_0}, \sigma^g_y)^{\frac12}\Big) \\
&\ge 2^{n-m} - 2^{\frac12}\, 2^{n-m} \Big(2^{m-n} \sum_y \delta(\sigma^g_{y_0}, \sigma^g_y)\Big)^{\frac12} \\
&\ge 2^{n-m} \Big[1 - 2^{\frac12}\Big(2^{m-n} \sum_y \big(\delta(\sigma^g_y, \sigma) + \delta(\sigma, \sigma^g_{y_0})\big)\Big)^{\frac12}\Big] \\
&\ge 2^{n-m}\big(1 - 2(2\varepsilon)^{\frac12}\big),
\end{aligned}$$

where the first inequality follows from Lemma 2, the second from Jensen's inequality and the concavity of the square root function, the third from the triangle inequality and the fourth from eq. (3) and $\delta(\sigma^g_{y_0}, \sigma) \le 2\varepsilon$. Recall that to be secure against Alice, we require $2^a \ge \sum_x p^A_x \ge 2^{n-m}\big(1 - 2(2\varepsilon)^{\frac12}\big)$. We insert $\varepsilon = \frac12\, 2^{-\frac12(m-b)}$, define $m = b + \gamma$ and take the logarithm on both sides to get

$$a + b + \delta \ge n, \quad (4)$$

where $\delta = \gamma - \log\big(1 - 2^{-\gamma/4 + 1}\big)$. Keeping in mind that $1 - 2^{-\gamma/4 + 1} > 0$ (or equivalently $\gamma > 4$), we find that the minimum value of $\delta$ for which eq. (4) is satisfied is $\delta = 5\log_2 5 - 4$ and arises from $\gamma = 4(\log_2 5 - 1)$. Thus, no $(n, a, b)$-QBSC$_\xi$ with $a + b + 5\log_2 5 - 4 < n$ exists. □
Since the constant c does not depend on a, b and n, multiple parallel executions of the protocol can only be secure if $a + b \ge n$:

Corollary 1 Let P be an (n, a, b)-QBSC with $P^m$ an (mn, ma, mb)-QBSC. Then $n \le a + b + c/m$. In particular, no (n, a, b)-QBSC with $a + b < n$ can be executed securely an arbitrary number of times in parallel. The latter statement also applies to $(n, a, b)$-QBSC$_\chi$s, where $\chi$ denotes the Holevo information of the ensemble $\mathcal{E}$.

It follows directly from that the results in this 
section also hold in the presence of superselection rules. 

Possibility. Surprisingly, if one is willing to measure Bob's ability to learn x using the accessible information, non-trivial protocols become possible. These protocols are based on a discovery known as "locking of classical information in quantum states" [18]. The protocol, which we call LOCKCOM(n, $\mathcal{U}$), uses this effect and is specified by a set $\mathcal{U} = \{U_1, \ldots, U_{|\mathcal{U}|}\}$ of unitaries.

• Commit phase: Alice has the string $x \in \{0,1\}^n$ and randomly chooses $r \in \{1, \ldots, |\mathcal{U}|\}$. She sends the state $U_r|x\rangle$ to Bob, where $U_r \in \mathcal{U}$.

• Reveal phase: Alice announces r and x. Bob applies $U_r^\dagger$ and measures in the computational basis to obtain x'. He accepts if and only if x' = x.

As a first observation, the number of unitaries $|\mathcal{U}|$ limits the number of different ways of revealing a string, i.e. $2^a \le |\mathcal{U}|$ [24]. Furthermore we have adapted the work in [19] in order to show that there exist $O(n^4)$ unitaries that bring Bob's accessible information down to a constant: $I_{acc}(\mathcal{E}) \le 4$ [13, Appendix B.2]. In summary:

Theorem 3 For $n \ge 3$, there exist $(n, 4\log_2 n + O(1), 4)$-QBSC$_{I_{acc}}$ protocols.

The protocol is as follows: Alice chooses a set of $O(n^4)$ unitaries independently according to the Haar measure (approximated) and announces the resulting set $\mathcal{U}$ to Bob. They then perform LOCKCOM(n, $\mathcal{U}$). Our analysis shows that this variant is secure against Bob with high probability. Unfortunately, the protocol is inefficient both in terms of computation and communication. It remains open to find an efficient constructive scheme with those parameters.



In contrast, for only two bases, an efficient construction exists and uses the identity and the Hadamard transform as unitaries. From [18] (see also [13]) it then follows that LOCKCOM(n, $\{I^{\otimes n}, H^{\otimes n}\}$) is an $(n, 1, n/2)$-QBSC$_{I_{acc}}$ protocol. As shown in [21], this protocol can be made cheat sensitive [22] for Bob, i.e. any nonzero information-gain by Bob will be detected by Alice with nonzero probability.
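The dependence on the information measure can be made concrete on this two-basis protocol. The following is an added example in pure Python (not code from the letter; function names are ours): it implements LOCKCOM(n, {I^{⊗n}, H^{⊗n}}) from Bob's side, checks the honest reveal, and evaluates ξ(E) = n − H_2(ρ_AB|ρ) through the square-root measurement of Lemma 1, which for the uniform prior is a lower bound on the concealing parameter b of Definition 1. With |U| = 2 the binding parameter is a = 1 and b comes out at about n − 1, so a + b ≥ n as Theorem 2 demands, although I_acc ≤ n/2 for the very same ensemble.

```python
"""LOCKCOM(n, {I^{(x)n}, H^{(x)n}}) seen from Bob's side, and the guessing-probability
measure xi(E) = n - H_2(rho_AB | rho) evaluated on his ensemble.  Added example in
pure Python (real arithmetic suffices, H is real); not code from the letter."""
from math import log2, sqrt

def hadamard_n(n):
    """H^{(x)n} as a 2^n x 2^n matrix: entry (y, x) is (-1)^{x.y} / sqrt(2^n)."""
    d = 2 ** n
    return [[(-1) ** bin(x & y).count("1") / sqrt(d) for x in range(d)] for y in range(d)]

def commit(n, x, r):
    """Commit phase: Alice sends U_r|x>, with U_1 = I (r=0) and U_2 = H^{(x)n} (r=1)."""
    d = 2 ** n
    if r == 0:
        return [1.0 if i == x else 0.0 for i in range(d)]
    return [row[x] for row in hadamard_n(n)]          # column x of H^{(x)n}

def reveal(n, state, x, r):
    """Reveal phase: Bob applies U_r^dagger, measures in the computational basis and
    accepts iff the outcome is x.  Returns his exact acceptance probability."""
    d = len(state)
    if r == 1:                                          # H is real and self-inverse
        H = hadamard_n(n)
        state = [sum(H[i][j] * state[j] for j in range(d)) for i in range(d)]
    return state[x] ** 2

def bob_state(n, x):
    """rho_x = 1/2 (|x><x| + H|x><x|H): Alice's basis choice r is unknown to Bob."""
    d = 2 ** n
    vecs = [commit(n, x, 0), commit(n, x, 1)]
    return [[sum(0.5 * v[i] * v[j] for v in vecs) for j in range(d)] for i in range(d)]

def purity(rho):
    """Tr(rho^2) for a real symmetric matrix."""
    d = len(rho)
    return sum(rho[i][j] * rho[j][i] for i in range(d) for j in range(d))

def xi_lockcom(n):
    """Returns (xi(E), sum_x p_x p^sq_{x|x}) for the uniform prior p_x = 2^{-n}.
    The average state rho = sum_x p_x rho_x is I/2^n here (checked below), so
    rho^{-1/2} = 2^{n/2} I, the square-root measurement of Lemma 1 has operators
    M_x = p_x rho^{-1/2} rho_x rho^{-1/2} = rho_x, and
    2^{-H_2} = sum_x p_x^2 2^n Tr(rho_x^2) = mean_x Tr(rho_x^2)."""
    d = 2 ** n
    states = [bob_state(n, x) for x in range(d)]
    avg = [[sum(s[i][j] for s in states) / d for j in range(d)] for i in range(d)]
    assert all(abs(avg[i][j] - (1.0 / d if i == j else 0.0)) < 1e-12
               for i in range(d) for j in range(d)), "rho is not maximally mixed"
    guess = sum(purity(s) for s in states) / d        # = 2^{-H_2(rho_AB|rho)}
    return n + log2(guess), guess                       # xi(E) = n - H_2

def lockcom_parameters(n):
    """(a, lower bound on b): 2^a <= |U| = 2 gives a = 1; b >= log2(2^n * guess) = xi(E)."""
    xi, _ = xi_lockcom(n)
    return 1, xi
```

For n = 3 the square-root measurement alone guesses x with probability 1/2 (1 + 2^{-3}) = 0.5625, giving ξ(E) ≈ 2.17 and hence b ≥ 2.17 under the guessing-probability criterion, well above the n/2 = 1.5 that the accessible-information criterion allows.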

A drawback of weakening the security requirement is that LOCKCOM protocols are not necessarily composable. Therefore, if LOCKCOM is used as a sub-protocol in a larger protocol, the security of the resulting scheme has to be evaluated on a case by case basis. However, LOCKCOM protocols are secure when executed in parallel. This is a consequence of the definition of Alice's security parameter and the additivity of the accessible information [23], and is sufficient for many cryptographic purposes.

Conclusion. We have introduced a framework for quantum commitments to a string of bits and shown that under strong security requirements (e.g. bounded guessing probability or Holevo information), non-trivial protocols do not exist. A property of quantum states known as locking, however, allowed us to propose meaningful protocols for a weaker security demand: Alice encodes her classical n-bit string into a quantum state in such a way that no measurement on Bob's side will yield high mutual information with the commitment. Alice is genuinely committed, because the quantum states that she sent contain almost the complete commitment, i.e. have high Holevo information.